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FOREWORD 


1.  A  key  responsibility  assigned  by  the  “National  Policy  for  the  Security  of  National  Security 
Telecommunications  and  Information  Systems,”  dated  5  July  1990,  is  to  ensure  the  development  and 
implementation  of  a  comprehensive  approach  to  protect  U.S.  Government  national  security  information  systems. 
The  success  of  this  program  depends  not  only  on  the  technical  implementations  of  policies,  but  also  on  the 
integration  of  human  interfaces  with  automated  systems.  Education,  training,  and  awareness  are  countermeasures 
that  effectively  reduce  exposure  to  a  variety  of  known  risks.  In  order  to  achieve  this  end,  it  is  essential  to  have  a 
federal  work  force  that  is  aware  of,  and  educated  about,  the  problems  of  information  systems  security  (INFOSEC). 
This  directive  is  issued  in  response  to  the  national  policy  and  establishes  the  requirement  for  federal  departments 
and  agencies  to  develop  and  implement  INFOSEC  education,  training  and  awareness  programs.  This  directive 
supersedes  NTISS  Directive  No.  500,  “Telecommunications  and  Automated  Information  Systems  Security 
Education,  Training,  and  Awareness,”  dated  8  June  1987. 

2.  Representatives  of  the  National  Security  Telecommunications  and  Information  Systems  Security 
Committee  may  obtain  additional  copies  of  this  directive  from: 

Executive  Secretariat 

National  Security  Telecommunications  and 
Information  Systems  Security  Committee 

National  Security  Agency 

9800  Savage  Road 

Fort  George  G.  Meade,  MD  20755-6000 

3.  U.S.  Government  contractors  are  to  contact  their  appropriate  government  agency  or  Contracting  Officer 
representative  regarding  distribution  of  this  document. 


CHARLES  A.  HAWKINS,  JR. 
Acting 


INFORMATION  SYSTEMS  SECURITY  (INFOSEC) 
EDUCATION,  TRAINING,  AND  AWARENESS 


NSTISSD  No.  500 


SECTION  I -  PURPOSE 

1.  This  directive  establishes  the  requirement  for  federal  departments  and  agencies  to  develop  and  implement 
information  systems  security  (INFOSEC)  education,  training  and  awareness  programs  for  national  security 
systems. 


SECTION  n  -  SCOPE  AND  APPLICABILITY 

2.  This  directive  is  applicable  to  all  departments  and  agencies  of  the  U.S.  Government,  their  employees,  and 
contractors  who  develop,  acquire,  manage,  or  use  information  systems  operated  by  or  on  behalf  of  the  Federal 
Government  to  store,  use,  process,  transmit,  or  communicate  national  security  information. 

SECTION  III  -  AUTHORITY 

3.  This  directive  is  issued  pursuant  to  “National  Policy  for  the  Security  of  National  Security 
Telecommunications  and  Information  Systems,”  dated  5  July  1990,  which  mandates  the  development  and 
implementation  of  a  comprehensive  approach  to  protect  U.S.  Government  national  security  information  systems. 

IV  ■  DEFINITIONS 

4.  Definitions  for  terminology  used  in  this  directive  may  be  found  in  NSTISSI  No.  4009,  “National  Information 
Systems  Security  (INFOSEC)  Glossary,”  dated  5  June  1992. 

SECTION  V  -  RATIONALE  AND  OBJECTIVES 

5.  The  evolution  of  information  processing  technologies  has  enabled  the  Federal  Government  to  transmit, 
communicate,  collect,  process,  and  store  unprecedented  amounts  of  information.  The  use  of  information  systems 
by  the  Federal  Government  has  focused  attention  on  the  need  to  ensure  that  these  assets  (i.e.,  hardware,  software, 
and  processing  capabilities)  and  the  information  they  process  are  protected  from  actions  that  would  jeopardize  the 
ability  of  departments  and  agencies  to  effectively  and  accurately  perform  official  functions.  The  responsibility  for 
securing  this  information  and  the  systems  on  which  it  is  processed  lies  with  the  head  of  the  federal  department  or 
agency  to  whom  the  information  and  resources  are  entrusted. 

6.  The  objective  of  this  directive  is  to  require  the  implementation  of  programs  to  enhance  awareness  of  all 
persons  within  these  departments  and  agencies  of  the  need  to  ensure  the  protection  of  information  in  systems,  as 
well  as  systems  resources  and  capabilities;  to  enhance  the  public’s  confidence  in  the  Federal  Government’s  ability 
to  provide  information  systems  protection;  and  to  promote  the  protection  of  information  systems  at  the  national 
level  through  an  education,  training,  and  awareness  program  that  promotes  a  uniform  and  consistent 
understanding  of  the  principles  and  concepts  of  INFOSEC. 
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SECTION  VI  -  INFOSEC  EDUCATION.  TRAINING.  AND  AWARENESS 

7.  INFOSEC  education,  training,  and  awareness  activities  are  required  for  all  employees.  Such  a 
comprehensive  effort  must  meet  the  varying  levels  of  knowledge,  experience,  and  responsibilities  of  employees, 
as  well  as  the  specific  needs  of  individual  departments  and  agencies.  There  are  certain  messages  that  need  to  be 
conveyed: 

a.  Organizations  critically  rely  on  information  and  information  systems’  resources. 

b.  The  organization,  through  its  management,  commits  to  protect  information  and  information  systems’ 
resources. 

c.  There  are  threats,  vulnerabilities,  and  related  risks  associated  with  the  organization’s  information  systems. 

d.  There  are  consequences  from  the  lack  of  adequate  protection  of  the  organization’s  information  systems’ 
resources. 

e.  The  employee  is  the  essential  element  of  a  successful  protection  program. 

8.  Every  INFOSEC  education,  training,  and  awareness  program  will  contain  three  types  of  activities:  initial 
orientation,  more  advanced  education  and  training  commensurate  with  duties  and  responsibilities,  and 
reinforcement  activities. 

9.  All  training  activities  pursuant  to  the  requirements  of  this  directive  shall  be  conducted  by  individuals  who 
are  knowledgeable  of  INFOSEC  principles  and  concepts,  as  well  as  their  application. 

SECTION  vn  -  RESPONSIBILITIES 

10.  Each  federal  department  and  agency  will: 

a.  Develop,  implement,  and  evaluate  an  INFOSEC  education,  training,  and  awareness  program  in 
accordance  with  the  National  Manager  guidelines. 

b.  Require  contractors  to  comply  with  the  provisions  of  this  directive  whenever  they  develop,  acquire, 
manage,  or  use  information  systems  operated  by,  or  on  behalf  of,  the  Federal  Government  to  store,  use,  process, 
or  communicate  national  security  information.  For  contractors,  the  terms  of  the  contract  shall  specify  this 
requirement. 

c.  Consistent  with  applicable  laws,  security  requirements,  department  and  agency  policy,  and  resource 
availability,  make  information  copies  of  INFOSEC  education,  training,  and  awareness  materials  available  to  the 
National  Manager  in  furtherance  of  the  responsibility  assigned  in  paragraph  1  l.c.  below. 

11.  The  National  Manager  will: 

a.  Develop  INFOSEC  education,  training  and  awareness  program  guidelines  and  provide  these  to  federal 
departments  and  agencies,  including  federal  contractors,  as  requested. 

b.  Ensure  that  appropriate  education,  training,  and  awareness  materials  are  developed  on  INFOSEC  policies, 
standards,  criteria,  products,  and  technologies  that  result  from  federal  or  federally  sponsored  efforts. 
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c.  Subject  to  the  approval  of  the  originating  department  or  agency,  and  consistent  with  applicable  laws  and 
security  requirements,  collect  and  maintain  information  on  INFOSEC  education,  training,  and  awareness 
programs.  Make  such  information  available  to  government  departments,  agencies,  and  federal  contractors,  as 
requested. 

d.  Develop  and  conduct,  or  assist  other  federal  departments  and  agencies  in  developing  and  conducting, 
INFOSEC  education,  training,  and  awareness  activities,  as  requested. 
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